CryptoWall ransomware uninstalls if it finds itself running on a PC in Russia, Belarus or Ukraine

CryptoWall ransomware dissected by Intel-led security group

The Cyber Threat Alliance, a group of security software, services and IT companies, claims to have cracked the CryptoWall ransomware - malware that encrypts the hard disk drives of infected PCs and demands a ransom be paid in bitcoin for the decryption key.

In a report, the group has dissected the malware, including its runtime details, file encryption and network communications.

One intriguing detail of CryptoWall, according to the group, is that should the malware identify that it is running on a PC located in Russia, Belarus, Ukraine, Kazakhstan, Armenia, Serbia or Iran, it will immediately uninstall itself. "This list of blacklisted countries provides minimal evidence that the attackers may be operating out of the Eastern European region," suggests the report.

It continues: "CryptoWall is one of many prominent ransomware malware families, which include TorrentLocker, TeslaCrypt and CTB-Locker, among others. The security community first discovered CryptoWall in June 2014. Since then, a number of variations of CryptoWall have surfaced. The third variant (version 3) began infecting machines in January 2015."

According to the group, CryptoWall has cost some $325m in ransom and damages, and version 3 alone has attempted more than 400,000 infections. It is spread via both phishing campaigns, which accounts for two-thirds of infections, and exploit kits, with the well-known Angler exploit kit the predominant one used.

"Angler is one of the most advanced crime kits available on the underground markets. It has the capability to inject its payload directly into the memory of the victim's machine running the exploited plug-in, without writing the malware on the drive. The payload is sent in an encrypted state. Angler supports a variety of vulnerabilities, mostly Flash. The group behind the crime kit is very responsive and known for quickly adapting newly discovered zero-days into their kit," according to the report.

The majority of Trojan files attached to phishing emails carry a ".scr" Microsoft Windows screensaver file extension, often obfuscated to appear as if they are Adobe PDFs or Microsoft Office documents.

The analysis goes on to provide a detailed, technical breakdown into how CrytpoWall works from the moment it infects a machine all the way through to how it communicates with the command-and-control servers.

The Cyber Threat Alliance was formed in September 2014 by Fortinet, Intel Security, Palo Alto Networks and Symantec, and now includes contributing members Barracuda Networks, ReversingLabs, Telefónica and Zscaler.